North Korean Hackers Poison Axios NPM Package in Wide-Ranging Supply Chain Attack
In a brazen software supply chain attack, threat actors linked to North Korea have injected malicious code into the widely used axios Node Package Manager (NPM) library, potentially exposing millions of developers and organizations. The compromise, detected by Google Threat Intelligence Group (GTIG) on March 31, 2026, targeted versions 1.14.1 and 0.30.4 of axios, a JavaScript library downloaded over 100 million times weekly for HTTP requests.
“This is a highly sophisticated attack that weaponizes a trusted component in the JavaScript ecosystem,” said Adrian Hernandez, senior threat analyst at GTIG. “The attackers leveraged a compromised maintainer account and deployed an obfuscated dropper capable of installing backdoors on Windows, macOS, and Linux systems.”
Background
NPM packages serve as building blocks for countless web applications. The axios library simplifies HTTP client operations and is deeply integrated into both frontend and backend JavaScript projects. Supply chain attacks on such packages can cascade quickly, as every project that updates its dependencies may inadvertently include the malicious code.

The threat actor, tracked as UNC1069, has been active since at least 2018 and has a history of financially motivated campaigns. This group previously deployed the WAVESHAPER backdoor, and the current attack uses its updated variant, WAVESHAPER.V2.
Attack Details
Between March 31, 2026, 00:21 and 03:20 UTC, the attacker introduced a malicious dependency named plain-crypto-js into axios releases. The maintainer’s email address was changed to ifstap@proton.me, indicating account takeover.
The malicious package uses a postinstall hook in package.json to automatically execute an obfuscated JavaScript dropper named setup.js upon installation. “The postinstall hook runs silently in the background, making detection difficult for standard security tools,” explained Dima Lenz, principal security researcher at GTIG.
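The install-time hook described above is something a defender can check for before a dependency ever runs. The script below is an added example, not code from the GTIG report or from the axios or npm projects: it inspects a package.json manifest for npm lifecycle hooks that execute during installation and grades each one. The sample manifests are constructed for illustration; the package name plain-crypto-js and the script name setup.js come from the report, while the version strings and the other package names are placeholders.

```javascript
// Added example (not GTIG, axios or npm code). Flags npm lifecycle scripts that
// run automatically during `npm install`, the mechanism the report describes
// (a postinstall hook launching setup.js). Sample manifests are constructed.

// Hooks npm runs without any action from the developer.
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Patterns an analyst would want to look at in an install-time command:
// a loose script named setup.js, platform launchers, remote fetch tools,
// or direct use of Node's process-spawning API.
const SUSPICIOUS_PATTERNS = [
  /\bsetup\.js\b/i,
  /\bpowershell(\.exe)?\b/i,
  /\bpython3?\b/i,
  /\bcurl\b|\bwget\b/i,
  /\bchild_process\b|\bexecSync\b/,
];

// Returns one finding per install-time hook present in the manifest.
// severity is "high" when a suspicious pattern matches and "review" otherwise,
// because native addons legitimately run e.g. `node-gyp rebuild` on install.
function auditLifecycleScripts(manifest) {
  const findings = [];
  const scripts = (manifest && manifest.scripts) || {};
  for (const hook of INSTALL_HOOKS) {
    if (!Object.prototype.hasOwnProperty.call(scripts, hook)) continue;
    const command = String(scripts[hook]);
    const matches = SUSPICIOUS_PATTERNS
      .filter((re) => re.test(command))
      .map((re) => re.source);
    findings.push({
      package: manifest.name,
      hook,
      command,
      severity: matches.length > 0 ? "high" : "review",
      matches,
    });
  }
  return findings;
}

// Audits a list of manifests and keeps only the high-severity findings,
// which is what a CI gate would fail on.
function highSeverityFindings(manifests) {
  return manifests
    .flatMap(auditLifecycleScripts)
    .filter((f) => f.severity === "high");
}

// Constructed samples. The first mirrors the shape the report describes:
// a dependency whose postinstall hook runs a dropper script.
const SAMPLE_DROPPER_MANIFEST = {
  name: "plain-crypto-js",
  version: "0.0.0-placeholder",
  scripts: { postinstall: "node setup.js" },
};
// A native addon with a legitimate install step: worth a look, not an alert.
const SAMPLE_NATIVE_ADDON_MANIFEST = {
  name: "example-native-addon",
  version: "0.0.0-placeholder",
  scripts: { install: "node-gyp rebuild", test: "jest" },
};
// Pure JavaScript with no install-time hooks at all.
const SAMPLE_CLEAN_MANIFEST = {
  name: "example-pure-js",
  version: "0.0.0-placeholder",
  scripts: { test: "mocha" },
};

const ALL_SAMPLES = [
  SAMPLE_DROPPER_MANIFEST,
  SAMPLE_NATIVE_ADDON_MANIFEST,
  SAMPLE_CLEAN_MANIFEST,
];
for (const f of highSeverityFindings(ALL_SAMPLES)) {
  console.log(`[${f.severity}] ${f.package} ${f.hook}: "${f.command}" matched ${f.matches.join(", ")}`);
}
```

To run this against a real project, read each node_modules/*/package.json and pass the parsed objects to highSeverityFindings. Independently of any scanner, npm's `--ignore-scripts` flag (or `ignore-scripts=true` in .npmrc) prevents lifecycle hooks from running at install time, at the cost of breaking packages that genuinely need a build step.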
Malware Analysis
The core dropper, dubbed SILKBELL (SHA256: e10b1fa84f1d6481625f741b69892780140d4e0e7769e7491e5f4d894c2e0e09), performs a dynamic OS check and delivers platform-specific payloads. It uses custom XOR and Base64 obfuscation to hide command-and-control (C2) URLs and execution commands.

To evade static analysis, the script loads fs, os, and execSync at runtime. After successfully dropping the secondary payload, it attempts to delete itself and revert package.json to remove traces.
Operating System-Specific Paths
- Windows: The dropper executes a PowerShell script that downloads and runs the WAVESHAPER.V2 backdoor.
- macOS & Linux: Python-based scripts are used to deploy similar backdoor functionality.
What This Means
“This attack underscores the urgent need for supply chain integrity in open-source ecosystems,” said Ashley Zaya, director of threat intelligence at Mandiant. “Organizations relying on axios should immediately audit their dependency trees and isolate affected versions.”
The compromised packages were published for only a few hours, but the potential blast radius includes any project that updated or installed these versions during that window. Attackers often use such brief exposure windows to target high-value environments before cleanup.
Response and Mitigation
GTIG has released actionable indicators of compromise (IoCs) including C2 addresses and file hashes. Defenders are advised to:
- Pin package versions and review unexpected dependency additions.
- Monitor for execution of setup.js through process logging.
- Enforce code signing and integrity checks on critical dependencies.
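The first recommendation, pinning versions and reviewing unexpected dependency additions, can be automated against the lock file. The script below is an added example, not GTIG or npm tooling: it walks a lockfileVersion 3 package-lock.json and reports the axios versions the report names as compromised, any occurrence of the injected plain-crypto-js dependency, and any root dependency declared with a range rather than an exact version. The lock file is constructed; apart from the two affected axios versions quoted from the report, every version string and the other package names are placeholders.

```javascript
// Added example (not GTIG or npm code). Audits a lockfileVersion 3
// package-lock.json for the affected axios versions, the unexpected
// plain-crypto-js dependency, and unpinned specs in the root manifest.
// The sample lock file at the bottom is constructed.

// Versions the report identifies as compromised.
const AFFECTED_VERSIONS = { axios: new Set(["1.14.1", "0.30.4"]) };
// Dependency the report says was injected into the axios releases.
const UNEXPECTED_PACKAGES = new Set(["plain-crypto-js"]);

// Derives the package name from a lockfile path, e.g.
// "node_modules/a/node_modules/@scope/b" -> "@scope/b".
function nameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? path : path.slice(i + marker.length);
}

// A spec counts as pinned only when it is an exact semver version,
// not a range (^, ~, *, >=) or a dist-tag such as "latest".
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(String(spec));
}

// Returns a list of findings; an empty list means nothing in the lock file
// matched the indicators or the pinning rule.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") {
      // Root project entry: check how the direct dependencies are declared.
      for (const [dep, spec] of Object.entries(entry.dependencies || {})) {
        if (!isPinned(spec)) findings.push({ kind: "unpinned-spec", name: dep, spec });
      }
      continue;
    }
    const name = entry.name || nameFromPath(path);
    const affected = AFFECTED_VERSIONS[name];
    if (affected && affected.has(entry.version)) {
      findings.push({ kind: "affected-version", path, name, version: entry.version });
    }
    if (UNEXPECTED_PACKAGES.has(name)) {
      findings.push({ kind: "unexpected-package", path, name, version: entry.version });
    }
    // Also flag the edge: which package pulled the unexpected dependency in.
    for (const dep of Object.keys(entry.dependencies || {})) {
      if (UNEXPECTED_PACKAGES.has(dep)) {
        findings.push({ kind: "unexpected-dependency", path, name, dependency: dep });
      }
    }
  }
  return findings;
}

// Counts findings per kind; a CI gate can fail on any non-zero count.
function summarize(findings) {
  const counts = {};
  for (const f of findings) counts[f.kind] = (counts[f.kind] || 0) + 1;
  return counts;
}

// Constructed lock file resembling a project that picked up the bad release.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { axios: "^1.14.0", "example-lib": "2.0.0" } },
    "node_modules/axios": {
      version: "1.14.1",
      dependencies: { "plain-crypto-js": "*", "example-transitive": "^1.0.0" },
    },
    "node_modules/plain-crypto-js": { version: "0.0.0-placeholder" },
    "node_modules/example-transitive": { version: "0.0.0-placeholder" },
    "node_modules/example-lib": { version: "2.0.0" },
  },
};

console.log(summarize(auditLockfile(SAMPLE_LOCK)));
```

For a real project, parse package-lock.json with JSON.parse and hand the object to auditLockfile; an "affected-version" or "unexpected-package" finding is the signal to isolate the build host and rebuild from a clean lock file, while "unpinned-spec" findings show where a future upstream publish could still be pulled in automatically.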
“We are working with the NPM registry to remove the malicious packages and notify impacted users,” added Mon Liclican, product security lead at Google.
For a full list of IoCs, refer to the background section above or the original GTIG blog.